
I'm trying to get my network up and running with my new provider's VDSL router, which can't operate in "modem mode" or "bridge mode".

My setup so far is as follows:

I have two managed switches, both with several 192.168.x.0/24 VLANs (vlanX is mapped to network 192.168.X.0/24). All these VLANs are connected over a trunk port to my OpenBSD firewall (IP forwarding enabled). Each computer on the network has the address of the virtual NIC on the firewall set as default gateway. For example, the network for vlan20 is 192.168.20.0/24, the firewall has the address 192.168.20.1 and this address is set as the default gateway for each client on this VLAN. With this setup, I can ping between all clients on the same or different VLANs/switches.

Here comes the problem: The VDSL router is connected to the firewall via another dedicated 192.168.x.0/24 VLAN, say 192.168.100.0/24, with the firewall IP 192.168.100.2 and the VDSL router IP 192.168.100.1. I've set up 192.168.100.2 as the default gateway on the firewall and can now successfully reach the internet from the firewall, but not from my other machines. Traceroute shows that the packets are stuck at the gateway of the client VLAN; for example, if I try to reach something outside from client 192.168.20.100, packets are stuck at the client gateway 192.168.20.1.

I have disabled all firewall rules (for testing purposes) and also tried enabling NAT on the firewall for the VDSL VLAN (the VDSL router of course does its own NAT on the internet port as well). Am I missing something obvious?

The VDSL router is connected to an "access" port of the switch and is thus not aware of the VLAN. Also, due to physical restrictions, I can't remove one of the switches in between.

Thanks for your help!

network

herrsimon
  • It sounds like the config for the OpenBSD firewall might be the culprit, more info on that would be helpful. IP forwarding should be configured correctly. VLAN 20, for example, should have a default route of 192.168.100.2 and know how to route to that VLAN. – armani Mar 03 '15 at 19:27
  • I've set net.inet.ip.forwarding=1 via sysctl. Unless I'm getting something wrong, this should have the effect that if a packet arrives on any of the interfaces with a destination not on the corresponding subnet, it is forwarded according to the routing table. Here's an excerpt of the table (MAC addresses partially greyed out); I've only added the default route manually: http://pastebin.com/KDnjSSyB – herrsimon Mar 03 '15 at 20:00
  • In that case it looks fine from a routing perspective. Sorry I'm no further help – armani Mar 03 '15 at 20:13

1 Answer

Maybe I'm missing something from your setup but here's what I think is the issue.

If the modem is connected to one of the switches as pictured in your design via an access port, then that modem needs to have routes for all of your VLANs pointing back to your OpenBSD firewall.

That would explain why the modem seems to only "see" the firewall, since it's layer 2 all across. But it would fail to reach one of the PCs because the modem does not know about any other IP routes (except for the directly connected ones).

Alex
  • Good point, but then if I do NAT on the VLAN port of the firewall which is connected to my VDSL router, the problem should disappear, right? Unfortunately, it doesn't... Just to be clear: The VDSL router also does NAT towards the internet and runs its own DHCP server. I have simply connected a VLAN interface of the firewall to one of the internal ports of the VDSL router (that there's a switch in between shouldn't make a difference). – herrsimon Mar 03 '15 at 20:57
  • And what does the NAT rule look like? Do you NAT behind the external interface of the firewall or behind another IP? – Alex Mar 03 '15 at 21:13
  • I NAT behind the external interface of the firewall. Strangely enough, after inserting the routes to my VLANs on my VDSL router as you suggested, things are working now (with NAT on the firewall). Apparently, I haven't understood something about IP networking... again, in my opinion these routes shouldn't be necessary, as the VDSL router just needs to know how to reach the NAT interface on the firewall. I'll look into it further when I have more time (i.e. on the weekend). Anyway, thanks for your help! – herrsimon Mar 04 '15 at 11:50
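Editor's added example (not part of the original question, answer or comments): a small Python model of the two hops in this thread, the OpenBSD firewall and the VDSL router, that does longest-prefix-match routing plus a deliberately minimal source NAT on each hop's uplink. It walks one request from 192.168.20.100 to an outside server and the reply back, and reports where the reply is lost. The addresses 203.0.113.10 (server) and 198.51.100.7 (the VDSL router's public address) are constructed from the documentation ranges; the interface names vlan20, vlan100, lan and wan are assumptions. The three scenarios correspond to the thread: no NAT and no static route (the reply to 192.168.20.100 is un-NATed on the VDSL router and then matches only its default route, so it goes back out towards the ISP), NAT on the firewall's vlan100 interface (the VDSL router only ever sees 192.168.100.2, which is directly connected), and the static route on the VDSL router that the answer suggests.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Hop:
    """A router with a static table and optional source NAT on its uplink.

    routes:   (prefix, next_hop or None if directly connected, interface)
    nat_addr: if set, sources leaving `uplink` are rewritten to this address.
              The NAT is deliberately minimal: state is keyed by remote peer only.
    """
    name: str
    uplink: str
    routes: list
    nat_addr: str = None
    nat_state: dict = field(default_factory=dict)  # remote peer -> original src

    def lookup(self, dst):
        """Longest-prefix match; returns (next_hop, interface) or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, next_hop, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return None if best is None else (best[1], best[2])

    def forward(self, pkt, from_uplink):
        """Route one packet; returns (packet, egress_iface) or None if unroutable."""
        # A reply arriving on the uplink for our NAT address is mapped back to
        # the original source before the routing decision is made.
        if (from_uplink and self.nat_addr and pkt.dst == self.nat_addr
                and pkt.src in self.nat_state):
            pkt = Packet(pkt.src, self.nat_state[pkt.src])
        route = self.lookup(pkt.dst)
        if route is None:
            return None
        _next_hop, iface = route
        if self.nat_addr and iface == self.uplink:
            self.nat_state[pkt.dst] = pkt.src
            pkt = Packet(self.nat_addr, pkt.dst)
        return pkt, iface


def round_trip(client, server, hops):
    """Send client -> server through hops (ordered towards the internet) and
    walk the reply back. Returns 'delivered' or where the reply was lost."""
    pkt = Packet(client, server)
    for hop in hops:
        result = hop.forward(pkt, from_uplink=False)
        if result is None or result[1] != hop.uplink:
            return f"request lost at {hop.name}"
        pkt = result[0]
    pkt = Packet(server, pkt.src)  # the server answers the source it saw
    for hop in reversed(hops):
        result = hop.forward(pkt, from_uplink=True)
        if result is None:
            return f"reply dropped at {hop.name}: no route to {pkt.dst}"
        pkt, iface = result
        if iface == hop.uplink:
            return (f"reply sent back out {hop.name}/{iface}: "
                    f"only the default route matches {pkt.dst}")
    return "delivered" if pkt.dst == client else f"reply misdelivered to {pkt.dst}"


def build(firewall_nat=False, vdsl_static_route=False):
    """Topology from the question; the /32 entries model each box's own address
    (OpenBSD shows these as local routes on lo0)."""
    fw_routes = [
        ("192.168.20.0/24", None, "vlan20"),
        ("192.168.100.0/24", None, "vlan100"),
        ("192.168.100.2/32", None, "lo0"),
        ("0.0.0.0/0", "192.168.100.1", "vlan100"),
    ]
    firewall = Hop("firewall", "vlan100", fw_routes,
                   "192.168.100.2" if firewall_nat else None)
    vdsl_routes = [
        ("192.168.100.0/24", None, "lan"),
        ("192.168.100.1/32", None, "lo0"),
        ("0.0.0.0/0", "198.51.100.1", "wan"),  # constructed ISP gateway
    ]
    if vdsl_static_route:
        vdsl_routes.append(("192.168.20.0/24", "192.168.100.2", "lan"))
    vdsl = Hop("vdsl-router", "wan", vdsl_routes, "198.51.100.7")
    return [firewall, vdsl]


if __name__ == "__main__":
    scenarios = [("no NAT, no static route", build()),
                 ("NAT on firewall vlan100", build(firewall_nat=True)),
                 ("static route on VDSL router", build(vdsl_static_route=True))]
    for label, hops in scenarios:
        print(f"{label:28s} -> {round_trip('192.168.20.100', '203.0.113.10', hops)}")
```

Two practical checks follow from the model. In OpenBSD pf the translation is itself a rule, so the NAT equivalent of the second scenario is something like `match out on vlan100 inet from 192.168.0.0/16 to any nat-to 192.168.100.2` in pf.conf, and it only takes effect while pf is enabled; flushing or disabling pf to "test without rules" also removes the NAT. Whether the translation is actually happening can be seen with `tcpdump -ni vlan100` on the firewall: packets leaving towards 192.168.100.1 must carry 192.168.100.2 as their source, not 192.168.20.x. If they still show the client address, the VDSL router needs the static routes the answer describes.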